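 public static function logOutUser()
 {
     /* Drop every session variable server-side. Assigning an empty array is
      * the documented way to clear the session; unset($_SESSION) disables the
      * superglobal for the rest of the request and is discouraged. */
     $_SESSION = [];
     /* Expire the session cookie as well, so the browser stops presenting the
      * old session id once the server-side data is gone. */
     if (ini_get("session.use_cookies")) {
         $params = session_get_cookie_params();
         setcookie(
             session_name(),
             "",
             time() - 42000,
             $params["path"],
             $params["domain"],
             $params["secure"],
             $params["httponly"]
         );
     }
     session_destroy();
     Redirect::phpRedirect("start");
     /* Nothing after a logout may be rendered, even if the redirect helper
      * returns instead of terminating the request. */
     exit;
 }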
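 public static function login($username, $password)
 {
     /* The shared mysqli connection is a global in this code base. */
     global $dbConn;
     /*
      * The password is escaped before hashing only because the registration
      * side (see the "replicate the process" step below) is said to do the
      * same, so the stored hashes were computed over the escaped value.
      * Dropping this line would lock out existing accounts.
      * TODO confirm against Account::create.
      */
     $password = $dbConn->real_escape_string($password);
     /*
      * Look the account up with a prepared statement: the username travels as
      * a bound parameter and never becomes part of the SQL text, so no manual
      * escaping is needed for it. Only the two columns we use are selected.
      */
     $stmt = $dbConn->prepare("SELECT `salt`, `password` FROM `accounts` WHERE `username` = ? LIMIT 1");
     if ($stmt === false) {
         /* The lookup could not be prepared; report it as a failed login
          * rather than disclosing a database error to the client. */
         new Message(12);
         return;
     }
     $stmt->bind_param("s", $username);
     $salt = "";
     $storedHash = "";
     $found = false;
     if ($stmt->execute()) {
         $stmt->bind_result($salt, $storedHash);
         $found = ($stmt->fetch() === true);
     }
     $stmt->close();
     /*
      * Unknown user: the same generic message as for a wrong password, so the
      * response does not reveal whether the username exists.
      */
     if (!$found) {
         new Message(12);
         return;
     }
     /* Replicate the registration scheme (salt . password . salt, SHA-256)
      * so the digest can be compared with the stored one.
      * NOTE(review): a single fast SHA-256 round is weak against offline
      * guessing; moving to password_hash()/password_verify() would need a
      * rehash-on-login step for existing accounts. */
     $hashedPassword = hash("sha256", $salt . $password . $salt);
     /*
      * hash_equals() compares in constant time and never falls back to the
      * numeric comparison that `!=` applies to hex digests that look like
      * numbers (e.g. "0e..." strings).
      */
     if (!hash_equals((string) $storedHash, $hashedPassword)) {
         new Message(12);
         return;
     }
     /* Mark the session as belonging to this user.
      * NOTE(review): the username is handed over as typed, not SQL-escaped;
      * if logInUser builds SQL from it, that query must bind it — confirm. */
     User::logInUser($username);
     /* Send the user to the wallet dashboard. */
     Redirect::phpRedirect("wallet");
 }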
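<?php

include 'app/includes/header.php';
/* Only logged-in users may see this page; everyone else goes back to the
 * login page. The `exit` makes sure nothing below is rendered even if the
 * redirect helper does not terminate the request itself.
 */
if (!User::isLoggedIn()) {
    Redirect::phpRedirect("start");
    exit;
}
/* Handle a logout request (the "Log out" link points at `wallet?logout`).
 * After the session is gone nothing below may read $_SESSION, so stop here.
 */
if (isset($_GET['logout'])) {
    User::logOutUser();
    exit;
}
?>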
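		<div class="top-container">
			<div class="row">
				<div class="large-10 large-centered columns">
					<img src="content/img/bow-small.png" class="logo"/>
					<span class="user-logout"> 
						Welcome 
						<span data-tooltip aria-haspopup="true" class="has-tip" title="Last login at <?php
/* Session values are written into an HTML attribute and into element text.
 * The username is chosen by the user at registration and the origin of
 * lastLogin / lastIP is not visible here, so all three are escaped for the
 * HTML context; ENT_QUOTES covers the double-quoted title attribute.
 */
$escape = static function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};
echo $escape($_SESSION['user']['lastLogin']) . ' from ' . $escape($_SESSION['user']['lastIP']);
?>
">
							<?php
echo $escape($_SESSION['user']['username']);
?>
 
						</span>
						<a class="logout" href="wallet?logout">Log out <i class="fa fa-sign-out"></i></a>
					</span>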
					<label id="eLbl">Email address</label>
					<input type="email" name="email" id="eTxt"/>

					<!-- <label class="chklbl"><input type="checkbox" name="chkSaveUsername"><span class="label-text">Remember Username</span></label> -->

					<input type="submit" id="loginBtn" value="Login">

					<a href="#" id="sign-up">Sign up for an account</a>
					<a href="#" id="sign-in">Sign in with an account</a>

					<?php 
/* Check if the user is already logged in and if he is
 * redirect him to his wallet panel.
 */
if (User::isLoggedIn()) {
    Redirect::phpRedirect("wallet");
}
/* Check if the user has submitted the form. */
if (isset($_POST) && !empty($_POST)) {
    /* We get the forms' submitted data. */
    $formType = $_POST['formType'];
    $username = $_POST['username'];
    $password = $_POST['password'];
    $repeat = $_POST['repeat'];
    $email = $_POST['email'];
    /* We check to see if the user wanted to login or register. */
    if ($formType == "login") {
        Account::login($username, $password);
    } else {
        if ($formType == "register") {
            Account::create($username, $password, $repeat, $email);